ICAEW THOUGHT LEADERSHIP

FUTURE OF AUDIT

What auditors do: the scope of audit

FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT

This publication explains in simple terms what

auditors do, why audits are necessary and their current
limitations, and what auditors do and don’t audit.

It is intended to serve as background reading for our

2019/20 ‘The future of audit’ thought leadership essays.
They, inter alia, are designed to inform the various
inquiries relevant to audit and regulation in progress
at the time of writing, including by Sir Donald Brydon,
Sir John Kingman, the CMA and BEIS.

We hope this background paper will help directors,

politicians, investors and policymakers understand the
current model of UK audit.

© ICAEW 2019

All rights reserved. If you want to reproduce or redistribute any of the material in this publication, you should first get
ICAEW’s permission in writing. ICAEW will not be liable for any reliance you place on the information in this publication.
You should seek independent advice.

2
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT

Contents

What auditors actually do 2

Why audits are needed, and their current limitations 4
Audit reports and other ways for auditors to communicate 5
What gets audited and what doesn’t 6
Rethinking audit scope 7

1
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT

What auditors actually do

Questions about the value of audit as it stands and calls for auditors to do more are nothing new. But
claiming that the only real problem lies in the fact that audits and auditors are misunderstood, and that
the solution therefore lies in ‘educating the public’, is no longer acceptable, if it ever was.
A clear understanding of what auditors do now is important if opportunities for extending the scope of
what can and should be audited are to be explored, if what auditors currently do is to be enhanced, and
if confidence in the value of audit and other assurance services is to be improved. In this paper we focus
on the audit of listed and other public interest entities rather than smaller audits, although many of the
principles apply to both.
Essentially, an audit involves three elements:
• a
 substantial risk assessment: auditors build up a detailed understanding of the business to enable
them to assess the risk that the financial statements as a whole might be materially misstated, and the
risk that the individual elements within the financial statements might be materially misstated. The
greater the risk, the better the audit evidence will need to be;
• e
 vidence-gathering in response to the risk assessment, intended to reduce the risk that there
will still be a material misstatement, even after the audit, to an acceptable level. A great deal of
evidence-gathering is about challenging management and corroborating explanations, ie, not taking
explanations at face value, even if they appear to be plausible; and
• the audit opinion reported to shareholders, based on the evidence obtained.
Some risks may be common to different companies in the same sector, but the extent of the risk is often
different and no two companies are the same; the assessed risks of material misstatement are always
unique. The ability to identify and assess risk effectively is a critical audit skill, requiring substantial
resource, training and experience. Auditors look for what might be missing, as well as what they are
presented with, and they are required to exercise professional scepticism throughout the audit. This
means that any suggestion that something might be wrong must be investigated and that conflicting
evidence cannot be ignored, although it does not mean that auditors have to assume that everything
they are presented with is necessarily wrong or fabricated. Professional bodies, auditors, auditing
standard-setters and academics continue to work on the impact of conscious and unconscious bias in
audit, and there have been important developments in recent years in techniques that help to
counteract it.
Higher-risk areas can relate to revenue, debtors, inventory, financial instruments, construction contracts
or the valuation of assets and liabilities more generally, for example. It is widely acknowledged that
companies in which financial reporting is well controlled are easier to audit than those in which it is not,
not least because fraud is easier to conceal in companies with a poor control environment.
Auditors look for any misstatement, regardless of how it is caused. If they suspect that material
misstatements might be due to fraud, rather than simple error, which is much less likely to be concealed,
they are required take a very different approach to evidence-gathering in that area. And an entity’s
compliance with laws and regulations, including the legality of dividends, is always relevant to the audit if
misstatements arising from non-compliance might be material.
Risk assessment and evidence-gathering both involve evaluating and often testing controls, discussions
with directors, senior management and staff, and a variety of analytical procedures and detailed tests
of transactions and balances, some of which has been substantially enhanced in recent years by the
use of data analytics. Auditors do not just look at evidence generated by the company. Confirmation
of transactions and balances with third parties is a routine audit procedure, including confirmation
of debtors, creditors, inventory and bank balances. Developments in data analytics increasingly
enable auditors to compare internally generated information with independently generated data and
information.

2
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT

All of this is done with a view to obtaining sufficient, appropriate audit evidence to support the audit
opinion which is reported to shareholders. Audits are performed in accordance with UK auditing
standards with which all UK auditors are required to comply.
UK auditing standards are available for anyone to read on the Financial Reporting Council’s website.
They are closely aligned with International Standards on Auditing (ISAs) used in over 175 countries. Both
run to well over 1,000 pages of detailed requirements and guidance. In addition to the basics noted
above – covering risk assessment, evidence-gathering and reporting – they cover more detailed areas
such as sampling, group audits, and work on opening balances and related party transactions.
Auditors are specifically required to evaluate the appropriateness of accounting policies, the
reasonableness of estimates and the overall presentation and structure of the financial statements. They
are required to obtain written representations from management on a number of matters and, hardly
surprisingly, comply with extensive documentation requirements. The documentation requirements
serve as a record, for quality management purposes, and demonstrate compliance with the relevant
requirements to internal and external reviewers. Audit firms embed these requirements and the
associated guidance in their methodologies.
Auditors are also required to comply with detailed legal, regulatory, ethical and quality management
requirements, including independence requirements. They report their audit opinion to the shareholders
and they may also be required to report specific matters to regulators – such as the Prudential Regulation
Authority for companies in the financial services sector, or the Solicitors Regulation Authority for legal
services firms. Legislation permits and obliges auditors – among others – to report suspicions of money
laundering or drug trafficking, for example, to the relevant authorities. These rights and duties have been
extended in recent years.

3
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT

Why audits are needed, and their current

limitations
Audits of financial statements are needed to hold directors to account. The directors who run companies
manage assets entrusted to them by the shareholders, who own those companies, and by third parties
who extend credit to them. Many others also have an interest in how companies are run. Holding
directors to account involves requiring them to prepare financial statements. For financial statements to
be credible, an independent audit is required. Auditors report to shareholders on the ‘truth and fairness’
of the financial statements prepared by directors.
What does ‘true and fair’ mean? To give a true and fair view, financial statements must not be materially
misstated. They must be prepared, in all material respects, in accordance with accounting standards and
legal requirements. But that is not necessarily enough: they may need to go further, or even depart from
those standards, to give a true and fair view, although that would be unusual.
An audit provides auditors with ‘reasonable’ assurance to support their audit opinion. This is a high
but not absolute level of assurance, meaning that there is an unavoidable risk that some material
misstatements may not be detected in a properly performed audit. UK auditing standards state that
absolute assurance is not possible because of the inherent limitations of an audit, which include the
practical and legal limitations to obtaining audit evidence, and time and cost constraints. This is not to
say that auditors are permitted to accept inadequate audit evidence; on the contrary, in the absence of
persuasive audit evidence, auditors are required – not merely permitted – to qualify their audit report.
There is a legitimate expectation that the risk of auditors failing to detect a material misstatement will be
reduced to an acceptable level. What auditors do not and cannot do under the current audit model is
eliminate the risk that they will fail to detect a material misstatement altogether. This comes as a shock to
some who believe that this simply should not be the case. Others want to know what more it would take
to enable auditors to eliminate the risk. Others again believe that it would be impossible to eliminate the
risk entirely.
The word ‘material’ is important here. What is ‘material’ is essentially a matter of judgement: accounting
standards define something as material if, ‘omitting, misstating or obscuring it could reasonably be
expected to influence the decisions that the primary users of general purpose financial statements make
on the basis of those financial statements.’
Primary users include shareholders and creditors, and general purpose financial statements include
those that usually appear in annual reports. Materiality has both quantitative and qualitative aspects: the
way something is presented can matter as much as the absolute amounts involved. Materiality levels can
be many millions of pounds in a large multinational group of companies, and financial statements have
never been audited ‘to the penny’ because shareholders and regulators want financial statements that
are audited at a reasonable cost, in a reasonable time. Many figures in the financial statements – such as
depreciation and inventory write-offs – are in any case very much estimates, rather than exact amounts,
requiring the application of judgement.
Auditing plays an important role in maintaining confidence in financial reporting, despite its limitations.
In its absence, financial reporting would almost certainly be highly unreliable. Procedures performed
and extended discussions with management serve to ensure that material misstatements – including
those arising from fraud, as well as error – are corrected. Auditors help ensure that boundaries are not
pushed too far, particularly when it comes to ‘aggressive’ accounting policies or excessively optimistic
or unfounded estimates and assumptions. Very few audits result in no adjustments at all, and it is not
uncommon for auditors’ discussions with directors to go right down to the wire. In practice, auditors do
sometimes have to refer to the possibility of using the ‘nuclear’ option – a qualified audit report.

4
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT

Audit reports and other ways for auditors to

communicate
Audit reports are far from the only communications tool in the auditors’ armoury. UK auditing standards
require auditors to communicate with ‘management and those charged with governance’ – including
executive and non-executive directors – throughout the audit on a variety of matters. But until recently,
the audit opinion was largely limited to a ‘binary’ pass-or-fail opinion; in the auditor’s opinion, the
financial statements either did or did not give a true and fair view. Beyond this, however, there were,
and still are, four basic ways of ‘qualifying’ audit reports and one method of ‘emphasising’ a particular
matter. While ‘emphases of matter’ – drawing attention to a disclosure regarding dependence on a
single source of funding, for example – are not common in audit reports on the financial statements of
listed companies, they are issued from time to time. However, qualified audit reports on the financial
statements of listed companies are genuinely rare.
Generally speaking, there is sufficient audit evidence available for auditors to form an audit opinion and
if auditors find something wrong, directors will – sometimes under pressure – seek to correct it rather
than suffer the embarrassment and more serious consequences of a qualified audit report, which can
lead to the suspension of trading in a company’s shares. A qualified audit report on a bank’s financial
statements, for example, might even become a self-fulfilling prophecy and risk causing a run on the
bank. But auditors cannot force directors to change the financial statements. If directors refuse to make a
change auditors believe is necessary, the auditors’ only option is to qualify the audit report.
UK audit reports on listed, other public interest and some other entities must now also include:
• ‘key audit matters’ (KAM);
• an explanation of how materiality was applied, including the materiality level used; and
• information about the scope of the audit, including an explanation of how auditors addressed the
KAM they identified.
For those prepared to study them, these new extended reports can be enlightening. They represent
a genuine sea change and cover in some detail areas in which audit effort was focused, why and how
auditors approached those areas, and how they went about the audit more generally. The reporting of
KAM is intended to facilitate discussion between auditors and audit committees, and between audit
committees and investors (shareholders). Some auditors believe that there is scope for audit committees
and investors to engage more fully in these discussions and that investors could make better use of KAM
in their engagement with companies.
In the past, audit reports conveyed very little sense of variation, and KAM undoubtedly provide more
colour. But there are now calls for auditors to report more ‘graduated’ audit findings: to comment on
which accounting estimates they believe are more risky, for example, or those they consider to be at
the more ‘aggressive’ end of the spectrum, on the overall degree of conservatism displayed in the
preparation of the financial statements, or on the level of subjectivity involved in determining a valuation.
Allied to this is the possibility of conveying some sense of the variation in the levels of assurance auditors
are able to gather in different audit areas.

5
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT

What gets audited and what doesn’t

Audited financial statements generally appear at the back of annual reports. Commonly included in
the front end are financial and other highlights, including key performance indicators (KPIs), a strategic
report, statements by the chairman and chairs of audit, remuneration and risk committees, and
environmental, social and governance (ESG) information.
For many years, audit reports referred to the information audited using page numbers. But the annual
report within which the financial statements are housed has grown, what auditors are required to do
has become more complex, the page numbers have disappeared and there remain misunderstandings
about how much of the annual report auditors actually audit. The solution is not simply a case of
re-instating the page numbers.
A random sample of five annual reports of FTSE 100 companies1 for 2018 showed that between 25%
and 40% of the total number of pages contained at least some audited information. This generally
consisted of two elements only: the audited financial statements, and information elsewhere in the
annual report concerning directors’ remuneration. This does not mean, however, that auditors simply
ignore all of the other front-end information.
Successive waves of changes to company law, the UK Corporate Governance Code (the UK Code) and
the continuing obligations of listing have steadily increased the procedures auditors are required to
perform on the other information that accompanies audited financial statements. In short, auditors are
required to ‘read’ and/or ‘review’ specific parts of the annual report in various different ways.
The current audit model requires auditors to read (in a literal sense) all of the other information for
inconsistencies with the audited information and the auditors’ knowledge of the business obtained
during the audit. They are required to review the directors’ viability statement and assessment of
principal risks for compliance with the UK Code, and they must state whether in their opinion the
strategic and directors’ reports are prepared in accordance with legal requirements. But there are no
specific procedures auditors are required to perform on the critical KPIs.
The current read requirement involves substantially less work than a review, and both read and
review requirements involve substantially less work than an audit. For example, directors are currently
required to make a statement to the effect that the annual report in its entirety is ‘fair, balanced and
understandable’. Auditors are not currently required to provide assurance on that statement, or on the
KPIs. If they were, it is likely that a great deal more work on controls over the preparation of the statement
and the KPIs would be required. Enhancing current requirements would require more work – despite the
fact that firms often do more than is actually required on the other information – but it might also better
meet expectations.

1
Diageo, Vodafone, Severn Trent, EasyJet and M&S, accessed online 11 March 2019.

6
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT

Rethinking audit scope

An audit is not an insurance policy that pays out if the financial statements are misstated. It is a
professional opinion based on work performed according to auditing standards that have developed
over many years and have been revised and revised again with the benefit of hindsight. Audit opinions,
and the increasingly lengthy and complex auditing standards on which they are based, may be
embedded in company law, regulation and professional practice but they are not written in stone and
they can be changed.
There is undoubtedly room for auditors to do more. While the current audit model does not involve
any form of assurance or commentary on the full annual report – on the KPIs, the viability of an entity,
or on the quality of its internal controls, among other things – none of these is impossible. Reporting
on internal controls over financial reporting, for example, is already in place in the US and Japan.
Understanding how those regimes work, and how effective they are, will be important when considering
if and how a similar regime might be introduced in the UK.
Upcoming essays in this series will examine a number of these areas in more detail.

7
The future of audit – your views
The collapse of Carillion in 2018 has led to increased political and public scrutiny of the audit
profession, and has eroded trust in auditors. As discussions about the future of audit continue
to evolve, the Audit and Assurance Faculty intends to influence the debate through a series
of succinct, high-level thought leadership essays that consider a range of issues directly or
indirectly relevant to the debate. We would welcome your views on these issues. Please email
nigel.sleigh-johnson@icaew.com

All published reports are available at icaew.com/futureofaudit

The ICAEW Audit and Assurance Faculty is the
professional and public interest voice of audit and
assurance matters for ICAEW and is a leading authority
in its field. Internationally recognised as a source of
expertise, the faculty is responsible for submissions to
regulators and standard setters and provides a range
of resources to professionals. It also offers practical
assistance in dealing with common audit and
assurance problems.

The faculty is producing a series of succinct, high-level

thought leadership essays on themes that are relevant
to the debate on the future of audit. They are designed
to inform the various inquiries relevant to audit and
regulation, and to improve the understanding of these
by boards, investors, politicians, policymakers and
others. These are available at icaew.com/futureofaudit

For more information on the faculty, the current

work programmes and how to get involved, visit
icaew.com/audit

There are over 1.8m chartered accountants and students

around the world − talented, ethical and committed
professionals who use their expertise to ensure we have
a successful and sustainable future.

Over 180,000 of these are ICAEW Chartered

Accountants and students. We train, develop and
support each one of them so that they have the
knowledge and values to help build local and global
economies that are sustainable, accountable and fair.

We’ve been at the heart of the accountancy profession

since we were founded in 1880 to ensure trust in
business. We share our knowledge and insight
with governments, regulators and business leaders
worldwide as we believe accountancy is a force for
positive economic change across the world.

www.charteredaccountantsworldwide.com
www.globalaccountingalliance.com

ICAEW
Chartered Accountants’ Hall
Moorgate Place
London
EC2R 6EA
UK

T +44 (0)20 7920 8100

E generalenquiries@icaew.com
icaew.com

© ICAEW 2019 METCAH20004 05/19